JP2020506611A - Addressing to a trusted execution environment using a signing key - Google Patents

Abstract

Described herein are methods, systems, and devices for delivering protected data to a nested trusted execution environment (TrEE) associated with an untrusted requestor. The nested TrEE may include a trustlet running on a secure kernel. In one aspect, the targeting protocol head, or other intermediary between the requester and the key management system or other store of protected data, includes a request for protected data from a potentially untrusted requestor; It can receive a secure kernel certificate report and a key certificate report. The key certificate report can bind the trustlet public encryption key and the trustlet ID. The targeting protocol head can extract the protected data and encrypt the protected data with a trustlet public encryption key. The targeting protocol head can then send the encrypted protected data to the requestor. [Selection diagram] FIG. 1A

Description

  [0001] The present disclosure relates generally to trusted and / or isolated execution environments in computing devices, and more particularly, to secure delivery of one or more secrets or keys to a trusted execution environment.

  [0002] A key management system (KMS) is a secret storage device (store). A secret is typically a public ID, a guarded value, and a policy that governs who can access that value. In some cases, the secret may have an expiration date, other metadata, or the like. In a typical use case, the requestor authenticates to the KMS, establishes a secure channel, requests a secret value by presenting a secret ID, and returns the cleartext secret value to the requestor. Expect to. This value is protected from unauthorized eavesdropping and tampering by a secure channel between the requester and the KMS.

  [0003] A Trusted Execution Environment (TrEE), as used herein, is a virtual secure mode (VSM) trustlet, an SGX application, an ARM TrustZone application, or some other similar vehicle. (vehicle). TrEE has several unique properties that commonly have in common. TrEE generally has a complete cryptographic stack (in other words, a full menu of features, ranging from secure random number generation to hashing, encryption, and signature libraries using private keys, across the spectrum). ) Can be assumed to have a wide variety of cryptographic primitives). Also, TrEE typically has or is associated with a few or limited I / O equipment, and is typically a request-driven architecture (where the request is initiated by an untrusted "outside world"). request driven architecture). For example, a VSM trustlet may use unauthenticated Remote Procedure Calls (RPC). TrEE can also access key material or data that is not available outside of TrEE. This allows TrEE, among other things, to store data using untrusted I / O and then retrieve it, ensuring tamper resistance and confidentiality of state. . TrEE also typically has or is associated with attestable code, configuration, and key material. Specifically, the verifiable key material allows TrEE to receive a message encrypted from it from a third party and sign the message to the third party as coming from TrEE. I do.

  [0004] As with other applications, the use of KMS by TrEE may expose security limitations. Therefore, the key provided by the KMS can be used with or in TrEE to make improvements to enhance security.

  [0005] Examples of the present disclosure include, but are not limited to, methods, systems, and various devices. In one aspect, an untrusted request, at least in part, by a targeting protocol head, or other mediation between the requester and a key management system or other protected data storage. A method of delivering protected data to a nested trusted execution environment (TrEE) associated with an origin may be performed. The nested TrEE may include a trustlet running on a secure kernel. The targeting protocol head shall receive requests for protection data from potentially untrusted requestors, secure kernel attestation statements, and key certification statements. Can be. The key certificate report can bind the trustlet public encryption key and the trustlet ID. The targeting protocol head can extract the protected data and encrypt the protected data using a trustlet public encryption key. The target protocol head can then send the encrypted protected data to the requestor.

  [0006] Other features of the present systems and methods are described below. The features, functions, and advantages may be achieved independently in the various examples or may be combined in yet other examples, further details of which may be obtained by reference to the following description and drawings. You can check.

[0007] Embodiments of the present disclosure will now be described in more detail with reference to the accompanying drawings. In the drawing,
FIG. 1A illustrates three examples of systems and processes for exchanging keys between a requestor and a key management system. FIG. 1B illustrates three examples of systems and processes for exchanging keys between a requestor and a key management system. FIG. 1C illustrates three examples of systems and processes for exchanging keys between a requestor and a key management system. FIG. 5 is a diagram illustrating an example of a control program monitor that implements an isolation region or a trusted execution environment (TrEE). Fig. 4 illustrates an example process for distributing protected data to trusted TrEE using an intermediary targeting protocol head. FIG. 4A illustrates another example process for distributing protected data to TrEE using an intermediary targeting protocol head. FIG. 4B illustrates another example process for distributing protected data to TrEE using an intermediary targeting protocol head. FIG. 5A illustrates an example process for distributing protected data to a nested TrEE using an intermediary targeting protocol head. FIG. 5B illustrates an exemplary process for distributing protected data to a nested TrEE using an intermediary targeting protocol head. 1 illustrates an example system that can implement one or more of the described processes. FIG. 3 illustrates an example of a data structure used to securely deliver transport keys and / or protected data to TrEE. FIG. 14 illustrates another example process of delivering protected data to a nested TrEE using an intermediary targeting protocol head based around another TrEE encryption key. 11 illustrates another exemplary process of delivering protected data to a nested TrEE using an intermediary targeting protocol head based on an internal TrEE encryption key. 1 illustrates an example of a general-purpose computing environment in which the techniques described herein may be implemented.

  [0018] As used herein, at least one key (eg, a signing or encryption key) or protected data / secret is trusted by a computing device, such as one or more physical or virtual computing devices. Systems and techniques for securely delivering in an environment (TrEE) are described. In one aspect, an intermediary can be implemented between the key requestor and the entity that owns the key management system or protected data. Mediation may be referred to herein as a targeting protocol head. The key requestor can be associated with a secure execution environment or TrEE, which can include one or more of a VSM trustlet, an SGX application, an ARM TrustZone application, or some other similar vehicle. TrEE may be separated from the requestor. The requester may request the targeting protocol head to deliver one or more secrets to the TrEE or a particular trustlet running inside the TrEE. In response to the request, the targeting protocol head may communicate with a key management system or other entity holding the secret to obtain one or more secrets for distribution to the TrEE. it can. The targeting protocol head can specifically target the protected data to TrEE so that the protected data is not accessible to requesters or attackers.

  [0019] In an aspect, the implementation of the targeting protocol head can eliminate the need for a secure channel between the requester and the key management system. The targeting protocol head uses the TrEE targeting techniques described herein to transfer one or more secrets or data to a TrEE or nested TrEE such that the secret / data cannot be accessed by the requestor. (Eg, a trustlet running on a secure kernel). In some cases, the owner of the protected data may not trust or potentially trust the requestor so that the requestor may wish to keep the protected data inaccessible for any of a variety of reasons. You can make it invisible. In some cases, it may be difficult or cumbersome to establish that the requestor is trustworthy, or to ensure that the requester remains trustworthy. Many of these concerns can be dispelled by assuming that the requestor is unreliable and isolating TrEE from the requestor. This separation can significantly enhance security against different types of attacks and provide other benefits and advantages, as described in more detail below.

  FIG. 1A shows a system and example process 100a for exchanging keys between a requestor and a key management system. As shown, the requester or requesting device 120 is associated with a client device or client side 110 and any desired secret (s) associated with a key management system or server or server side 105. 115 holders can be communicated. The requestor 120 can request one or more secret or protected data from the key management system 115, for example, to access specific protected data, perform one or more protection processes, and so on. The requestor 120 and the key management system (KMS) 115 exchange the desired secret / data using a public-private key security system or other key protocol as known in the art. can do.

  [0021] The requestor 120 may first authenticate with the KMS 115 at operation 125 and establish a secure communication channel by any of the techniques known in the art. Act 125 may include utilizing a public key system or the like. Next, utilizing the secure channel established by operation 125, requestor 120 may send a request for one or more secret / protected data to KMS 115 in operation 130. Upon verifying the request, the KMS 115 can return the secret or requested data to the requestor 120 over a secure communication channel in operation 135. As is standard in the art, at 135, the secret / request data can be transmitted over the secure channel without any additional protection above it. As a result, the secret / data transmitted in operation 135 may be exposed to the requesting device 120.

  FIG. 1B illustrates an example system and process 100b for more securely exchanging one or more secret or protected data between the requester 120 and the KMS 115 instead of the trusted execution environment (TrEE) 140. . Trusted execution environment (TrEE) 140 is another term used to indicate an enclave, ie, an isolated execution environment associated with requestor 120. 2 illustrates an example system and process 100b for more securely exchanging one or more secret or protected data between a requestor 120 and a KMS 115. TrEE 140 may be separated from requestor 120 such that code and / or data contained within TrEE 140 cannot be accessed (eg, read and / or write) by requestor 120. FIG. 2 illustrates an example trusted execution environment 200 where a computing device 205 may include logic 210 (eg, code) and state information 220 such as data. The status information 220 can be stored or located in the isolation area 215 so that it can be secured from unauthorized access. In some cases, data within isolation region 215 cannot be read or written directly by any entity other than logic 210 associated with isolation region 215. Isolation logic 210 determines what type of access is allowed to which type or portion of data 220. In one example, logic 210 may allow the value associated with data 220 to be increased and read, but not otherwise modify data 220. In another example, logic 210 may allow cryptographic operations using the key, but may not grant access to the value of the key itself. In the illustrated example, the logic or code 210 may be in a general area of the CPM 205, ie, an accessible area. However, it should be appreciated that in some cases, logic 210 may be located in the same or a different isolation region as state information 220.

  Returning to system 100b, a targeting protocol head (TPH) 150 can be implemented on server side 105 to serve as an intermediary between requester 120 / TrEE 140 and KMS 115. A protocol head may typically refer to a software implementation of a front-end protocol handler for a system that does not natively speak a particular protocol. Targeting may refer to cryptographic targeting of the execution environment. Taken together, the term can refer to software and / or hardware that implements a protocol for deriving secrets that target responses in TrEE. In an aspect, the targeting protocol head 150 is implemented as a virtual or cloud resource, for example, that can run on different hardware, software than KMS 115, and / or run separately from KMS 115. You can also. In certain aspects, an entity such as a data center may host and / or provide the targeting protocol head 150, for example, as a service. The targeting protocol head 150 performs two main functions: 1) the function of communicating with the KMS 115 to obtain secret or protected data from an external entity; and 2) the function of targeting the response of the requester 120 to the TrEE 140. can do. The use of the targeting protocol head 150 eliminates the need for the requestor 120 to authenticate directly to the KMS 115. KMS 115 yields the secret to targeting protocol head 150 but not to requestor 120. The function of the targeting protocol head 150 is to target the response of the requestor 120 to the TrEE 140, thus ensuring that the requestor 120 does not have access to the cleartext of the secret / protected data. Alternatively, the targeting protocol head 150 can authenticate to the KMS 115 on behalf of the requester 120, but with or without the identity of the requester 120, can do. In some cases, the targeting protocol head 150 must be convinced that the secret that the targeting protocol head 150 is trying to return to the requester's 120 TrEE 140 will soon become "secure." In this case, requestor 120 may provide attestable information about the state of TrEE 140 to targeting protocol head 150. This provable information includes a provable key material associated with the TrEE 140 and can encrypt the response to the TrEE 140.

  [0024] In some cases, multiple different processes may run simultaneously in the secure kernel, such as provided by one or more trustlets, with each trustlet and secure kernel each being considered as a TrEE 140. (For example, this is an example of a nested TrEE). In this scenario, each of the different trustlets has a session ID, a trustlet type, and / or other IDs that can be used to identify individual translets within the secure kernel (eg, both TrEE140). The response from the targeting protocol head 150 can be directed to a specific trustlet within the TrEE 140 identified in the request. This will be described in more detail below.

  For TrEE 140 targeting, there is no essential need to provide a secure channel between the requestor 120 and the targeting protocol head 150. This is because the request source 120 itself is not trusted and the response is sent. However, in order to protect access to the request itself (the secret that the requester wants), the authentication operation 160 may require that the requester 120 It should be appreciated that a secure channel may be added to the targeting protocol head 150. After or instead of the authentication in act 160, the requestor 120 may request the one or more secrets or one secret or protected data on behalf of the TrEE 140, for example, to deliver to the TrEE 140 in act 155. Can be sent to the targeting protocol head 150. In an aspect, the request may associate the TrEE 140 or the request may identify the TrEE 140. The targeting protocol head 150 can determine whether the TrEE 140 is reliable. In one aspect, authentication of the requestor 120 may rely on a type of clean room provisioning. In other aspects, authentication may rely on attestation.

  [0026] Clean room provisioning can be used when the requesting 120 device is legitimately assumed to be, for example, new and not compromised by malicious software. An example process for delivering protected data to a TrEE associated with a requester using clean room provisioning is described in further detail below with reference to FIG. An example process for distributing protected data to a TrEE associated with a requestor using a certificate (eg, a certificate service) is described in further detail below with reference to FIG.

  In any case, once TPH 150 has authenticated requestor 120 and / or has asserted the reliability of TrEE 140, TPH 150 authenticates KMS 115 in operation 165 and establishes a secure communication channel with KMS 115. Can be established. In an aspect, the KMS 115 can include or be associated with any entity that holds one or more secret or protected data, such as licenses, permissions, passwords, and the like. Upon establishing a secure communication channel with the KMS 115, the TPH 150 may send a request for protected data at operation 170. KMS 115 may return the requested secret at operation 175. The TPH 150 may send one or more secrets in operation 180, targeting the secret (s) or protected data in the TrEE 140.

  [0028] In an aspect, at operation 180, at least one of the following data structures can be utilized when delivering the protected data to the TrEE 140. An encryption identification key that can be built around a TrEE identity or certification process or certification log, or within an example of a nested TrEE (eg, a trustlet running on a secure kernel). identity key), as well as a signing identity key that can be embedded around the certification process. These are described in more detail below.

  FIG. 1C illustrates another exemplary system and process 100c for securely exchanging one or more secret or protected data between a requester 120 and a KMS 115 in place of a trusted execution environment (TrEE) 140. Show. System 100c may be a specific example of system 100b described above. In the system 100c, the targeting protocol head 150 may be a host guardian service (HGS) 150a. In the system 100c, the HGS 150a may receive a key protector 190 from, for example, a cloud host 185 or other entity that can instantiate or otherwise control the TrEE 140. In the system 100c, the requestor 120 can be associated with, for example, a virtual machine provided by the cloud host 185. KP 190 is a related U.S. patent application Ser. No. 14/14, filed Sep. 9, 2014, entitled "Secure Transport of Encrypted Virtual Machines with Continuous Owner Access". One or more aspects of the key protector described in US Pat. No. 481,399 (U.S. Patent Application Publication No. 2015/31818986) can be incorporated. KP 190 may contain one or more secrets that can be used by TrEE 140, such as a transport key. The KP 190 can essentially wrap the transport key so that it is accessible only to a set of guardians who are authorized to access the transport key. After authenticating and establishing a secure communication channel with the KMS 115 in operation 165, in operation 170a the HGS 150a may request the decryption key from the KMS 115 to read the contents of the KP 190 and derive the transport key. , KP190 can be encrypted. In response, the KMS 115 may send the decryption key to the HGS at operation 175a. The HGS 150a may then decrypt the KP 190 using the decryption key and derive one or more secrets (eg, a transport key) to send to the TrEE 140. The HGS 150a may then send the secret or transport key to the TrEE at operation 180 by one or more addressing techniques described in more detail below. In some embodiments, TrEE 140 may be addressed based on data from KP 190.

  [0030] It should be appreciated that, in some cases, the HGS 150a and the KMS 115 may be one entity, eliminating the need to establish a communication channel between them and eliminating the need for authentication. .

  [0031] In the system 100c, authentication between the request source 120 and the HGS 150a is unnecessary. As long as the cloud or fabric host 180 is healthy, which fabric host is communicating with the HGS 150a, if it is one of the servers in the fabric (this is verified by proof Can be), does not matter.

  FIG. 3 illustrates an example process 300 for delivering protected data to a requesting TrEE, where the requesting source is assumed to be trusted (eg, not compromised by malicious software). . As used herein, the dashed box or box in any figure is optional, indicating that the box may be omitted. Process 300 associates a TrEE with a TrEE, such as a public key of a public key private key pair (eg, an asymmetric key pair) generated by the TrEE or generated by the secure kernel that initiated the TrEE. An encryption key can be used. In other cases, the encryption key may be symmetric. As used herein, a secure kernel can refer to any part of a computing device that is associated with a higher level of security, as is known in the art.

  [0033] In this scenario, the TrEE 140 may be launched or initiated at operation 302 and at operation 304, one or more secret keys (eg, a secret encryption key) and a corresponding public key. Can be generated inside the TrEE 140. Then, in operation 306, the corresponding public key can be registered with the TPH 150 and associated with the identity of the requesting device and / or the identity of the requesting device. In some cases, the public key of TrEE 140 need only be registered once, allowing process 300 to begin at operation 308 after registering the public key. Thereafter, the requester 120 may authenticate with the TPH 150 in operation 308 by any known authentication technique. The TPH 150 may then look up a public key to use when delivering a response to the TrEE 140, for example, based on the registered public key of the TrEE 140 that can be associated with the identity of the requestor 120. This process can be referred to as "clean room" provisioning. This is because this can only be done safely when the requesting source 120 is known-good or when it is in a reliable state. In this example, there is no need for certificate-based authentication, and the request source 120 does not have to send a TrEE health certificate (THC) to the TPH 150. This is because the requesting source 120 can be trusted. In the absence of ubiquitous attestation services, validating that the correct TrEE 140 is targeted by TPH 150 is a viable option.

  Next, in operation 312, the TPH 150 can obtain the protection data for distribution to the TrEE 140, for example, from the KMS 115 as described above. Using the TrEE public key accessed by operation 310, TPH 150 may then construct, at operation 314, a message containing the obtained protected data to send to TrEE 140. TPH 150 may send the message to requestor 120 in operation 316.

  [0035] Upon receiving this message, in operation 318, the requestor 120 may forward it to the TrEE 140. Since the requesting source 120 cannot access the TrEE's private key, the requesting source 120 cannot decrypt the message and access the protected data. In operation 320, TrEE 140 can decrypt the message using the private key and access the protected data.

  FIG. 4A shows an example process 400 for delivering protected data to an untrusted requesting TrEE. Process 400 may utilize an encryption key associated with the TrEE, such as the public key of a public-private key pair. It is generated by the TrEE or, as in the case of a nested TrEE, by the secure kernel that initiated the TrEE and may be referred to herein as a trustlet. Additionally or alternatively, process 400 may utilize a secure kernel signing key, which may be considered an external TrEE. The trustlet may be nested or run on a secure kernel associated with TrEE. The signing key can be used to certify the public key of the key pair generated by TrEE. This will be described in more detail below.

  [0037] According to the process 400, after the initialization of the TrEE in operation 402, the requestor 120 can request an attestation report or statement from an attestation service at operation 406. FIG. 4B illustrates an example process for obtaining a certification report or report from certification service 424. In the example of FIG. 4B, the requestor 120, at act 426, receives a certificate log at boot that contains the TrEE 140 (trustlet) public key (IDK_E) or TrEE (secure kernel) signature key (IDK_S). (TCG log) can be created. Then, in operation 428, requestor 120 may submit the TCG log to certification service 424. In some cases, TPH 150 may direct a certification service trusted by TPH 150, or requestor 120 may select this certification service. In operation 430, the certification service 424 examines the TCG log and issues a TrEE health certificate (THC) based on the TrEE 140 (secure kernel) encryption key (IDK_E) and / or signing key (IDK_S). be able to. The certification service 242 may then return the THC (also referred to herein as a certification report) to the requestor 120 at operation 432.

  [0038] Having obtained the certificate report in operation 406, the requestor 120 may send a request for this certificate report and protected data to the TPH 150 in operation 408 instead of the TrEE 140. The THC or certificate report contains the item name of the requestor 120 (to create a binding between the requester's identity determined during authentication and the certificate) and the response when formulating the response. A key (eg, an encryption key or a signature key) to be used by the responder (TPH 150) can be stored.

  In one aspect, tamper-proof identification information, such as a trusted platform module (TPM) encryption key (EK), is associated with the requestor 120. Proof of the requestor 120 can be performed using TPM EK, as is known in the art.

  [0040] In an aspect, the TrEE, via the issuance policy (OID) object identifier (OID), which may be out of band or may be part of the THC, sends the TPH 150 via the requestor 120. Can also tell whether the key is an encryption key or a signing key. The choice between the keys to use can affect the choice of the mechanism used to structure the response, as described above. Importantly, proof of possession of the private key that backs the certificate is not required by the TPH 150. This is simply because, if the wrong certificate is given, the requester 120 cannot resolve the response at all, since the requester cannot access the corresponding private key.

  5A and 5B illustrate an example process 500 for delivering protected data to an untrusted requesting nested TrEE. In some embodiments, more than one TrEE may be nested such that one TrEE is contained within another TrEE. As referred to herein, a trustlet is a nested TrEE contained in an outer TrEE. In one example, the outer TrEE may include a secure kernel of a trusted part of the operating system, such as a particular partition of memory associated with a virtual trust level. This will be described in more detail below with reference to FIG. Process 500 may be utilized, for example, when only the outer TrEE encryption key is available. In some cases, the outer TrEE may be the secure kernel of the machine that instantiated the trustlet.

  [0042] Process 500 may begin at operation 502, where requestor 120 invokes a trustlet having a "session identifier" determined by requestor 120. The session identifier is an identifier relating to or identifying which content or data the trustlet acts on, an identifier relating to the user of the trustlet (eg, a streaming content application trustlet for playing a “specific title”), etc. May include any type of identifier. In one example, the session ID may be a 32-bit value. This value can be stored and may be read-only for the lifetime of the trustlet and is available to the secure kernel when receiving a message targeting the trustlet. Is also good. There may be no value for this (not specified at process startup), in which case the session ID can be assumed to be zero.

  [0043] Next, in operation 504, the requestor 120 can authenticate to the TPH 150 (optional, as described above, but very limited, such as when there is no actual difference between the requestors). It is optional only in circumstances). One example where it is desired that there be a binding between a TrEE (eg, a TrEE key) and the identity of the requestor, to illustrate, by way of example, the playback of a movie-like content item requires a license or subscriber When it is constrained by validation (e.g., a NetFlex user wants to obtain a license to play a movie, but NetFlex wants to make sure that it is its subscriber that licenses the movie (these Inside TrEE)).

  [0044] The requestor 120 may obtain a certificate report from a certificate service trusted by the TPH 150 at operation 506, such as according to the process 406 described above with reference to FIG. 4B. . Next, the requester 120 can submit a certificate report to the TPH 150 at operation 508. It should be noted that in the example of clean room provisioning described above, it is admitted that certification is not required and may be true here.

  [0045] Upon receiving the certificate report, at operation 510, the TPH 150 may verify the certificate report (or, in the case of the previous clean room provisioning example, based on the identity of the requestor). Look up the key). At this point in the process 500, the requestor 120 knows which key to use to address the outer TrEE. In one aspect, the key obtained from the certificate or request may include an indication with the request or certificate that the key is an outer TrEE or secure kernel (and not an inner trustlet) cryptographic key. Yes, or can be communicated to TPH 150 in other ways or out of band, such as by setting as a default procedure. Next, in operation 511, the TPH 150 may transfer the protected data indicated in the request, for example, from the KMS 115 or one or more services holding licenses, passwords, permissions, and / or other information. , Can be obtained from any other entity holding the protected data.

  [0046] The TPH 150 may determine at operation 512, for example, based on a request or based on the TPH 150 itself, which trustlet type to target (eg, a specific purpose such as NetFlix). Alternatively, each TPH 150 can be specifically designed for the application). In an example utilizing a KP, as described above with reference to FIG. 1C, the trustlet type may be encoded in the KP. In some other examples, the trustlet type may be set by default or hard coded, as in embodiments utilizing HGS 150a. In the HGS example, the HGS 150a may always target a virtual mode secure process (VMSP) trustlet. This trustlet type may be hard-coded (since KP does not contain that information).

  [0047] When determining the trustlet type to be targeted, TPH 150 may construct a message containing the protected data to send to TrEE at operation 514. A more detailed example of operation 514 is shown in FIG. 5B.

  [0048] In an aspect, operation 514 can further include operation 536, where TPH 150 generates two random symmetric keys, a transfer key TX and a wrapping key TW. The TPH 150 may then encrypt the TX using the public key at the THC (part of the certificate report) at operation 538 (eg, the THC is based on a cryptographic key rather than a signing key). Suppose). In certain aspects, operation 538 may include encrypting TX with the host's IDK using RSA encryption and OAEP padding. In some aspects, the TPH 150 may be acted upon in operation 540, eg, that the trustlet is authorized or has the correct permissions to access the protected data (eg, paid for online services or content items). ), The session ID of the trustlet can be verified. In some cases, the session ID may include a trustlet type, but in other examples, the trustlet type may be encoded into a KP or even hard coded. The TPH 150 may then encrypt the TW using TX in operations 542 and 544, concatenating the trustlet type and the trustlet's session ID and using it as an "authentication tag." Can be. It should be noted that the use of authentication tags is an artifact of the AES-GCM protocol, and that other encryption protocols use different schemes to achieve the same effect. The idea behind the authentication tag is to bind the TW with the trustlet type and session ID so that they cannot be disconnected by an attacker during transmission. There are several other ways to accomplish this using cryptography. AES-GCM is described herein because it provides this function natively and is therefore advantageous.

  [0049] The TPH 150 may then send the encrypted TX and the authenticated encryption of the TW to the requestor 120 in operation 546. Returning to FIG. 5A, after receiving a message 516 that may be generated by the operation of FIG. 5B and / or may include protected data encrypted in a manner similar to the TW, the requestor 120 may operate At 518, the message can be forwarded to a trustlet. Since the trustlet is unable to decrypt the message (trying to retrieve it in the TW), the trustlet can pass the message to the secure kernel in operation 520. Alternatively, the requester 120 may send a response to the secure kernel, bypassing the trustlet, which will inform the trustlet of new information when it decrypts the TW.

  [0050] Next, in operation 522, the secure kernel decrypts the TX using the secret encryption key, then decrypts the TW using the TX, and uses the authentication tag to determine the correct session. It can be verified that the correct trustlet type with the ID is requesting to decrypt the message. If the authentication tag has been verified, at operation 524 the secure kernel may return the TW to the trustlet. The trustlet can then use the received TW to decrypt whatever the TW is encrypting, such as protected data, which can be of any size.

  [0051] In an aspect, the secure kernel configures one or more processes, as defined by one or more APIs, to receive, decrypt, and pass messages to the correct trustlet being targeted. Can be implemented. The API can receive an encrypted message targeted to a particular trustlet and decrypt the TX using the secret part of the IDK (Secure Kernel Identity Encryption Key). The API can assemble its own authentication tag using the concatenation of the trusting type of the calling trustlet and the session ID as a tag (provided for obvious security reasons. Authentication tags cannot be used). The trustlet type and session ID can then be obtained. If successful, the API can then use the TX to decrypt the TW. If successful, the API can then return the TW to the trustlet.

  [0052] In one example, the received message may include the following information. The number of versions (for example, 0), the transfer key encryption protocol ID (for example, RSA2048), the transfer key encryption padding ID (for example, OAEP), the wrapping key encryption protocol ID (for example, AES-GCM), and the length of the transfer key ciphertext The length of the wrapping key authentication tag (ignored), the length of the wrapping key ciphertext, and the transfer key ciphertext, the wrapping key authentication tag (ignored), and the wrapping key ciphertext. It should be appreciated that this is only one of many ways in which a message can be assembled.

  [0053] In an aspect, in one or more of the systems or processes 100, 300, 400, or 500 described above, the process / system 100 implements a resource or a virtual secure mode (VSM). It can also be implemented in a virtual machine. The VSM and related concepts in the context of a virtual machine are entitled "Virtual Secure Mode for Virtual Machines" and are filed on Feb. 21, 2014, US patent application Ser. 186,415 (U.S. Patent Application Publication No. 2015/082305). FIG. 6 illustrates a system or host operating system 600 that includes a VSM computing environment divided into different virtual trust levels VTL0 610 and VTL1 615. System 600 may be an embodiment that further embodies one or more aspects of system 100a, 100b, or 100c, such as a cloud host 180 that includes a computing environment operating in a VSM. VTL0 610 may include a user mode 620 and a normal kernel mode 630, and VTL1 615 may include a user mode 625 and a secure kernel mode 635. The different VTLs can be provided, for example, by a hypervisor running on a physical computing component or a virtual computing resource (eg, one or more virtual machines), where the hypervisors are VTL0 610 and VTL1 615 and Interact and define VTL0 610 and VTL1 615 with restrictions on access to memory for specific processes and the like. In the illustrated example, VTL1 615 may be more protected than VTL0 610, such that more sophisticated access is required to read and / or write data or code associated with VTL1. VTL0 610 may correspond to requestor 120, while VTL1 615 may correspond to TrEE140. System 600 is described below as utilizing KP700. However, this is shown only as an example, and the same effect can be obtained even if the system 600 uses the above-described certification / authentication scheme without using the KP.

  As described with reference to system 600, client application 650 / VTL0 610 of host 600 may correspond to requestor 120, while VTL1 615 and more specifically VTL1 615 secure -The kernel 635 may correspond to the TrEE140. In an aspect, trustlet 640 may correspond to a nested trustlet described with reference to process 500. In certain aspects, system 600 may implement process 500 described above. In other examples, system 600 may implement processes 800 and / or 900 described below with reference to FIGS. 8 and 9, with the main difference between processes 500 and 800 being that a trustlet is initialized. The use of KPs for the transformation and the use of a specific embodiment of the HGS 150a instead of the more comprehensive TPH 150.

  [0055] As shown, one or more TrEEs or trustlets 640 may reside in user mode 625 of VTL1 615. In an aspect, one or more trustlets 640 can be accessed or associated with a virtual machine secure process (VMSP) 645. A 650 (client), including client operations, applications, programs, etc., can operate in user mode 620 of VTL0 610. The server 655 resident in the user mode 625 of the VTL1 615 can communicate with the client 650 via the RPC 660. As shown, client 650 requests the initiation of trustlet 640 to perform one or more secure operations via one or more RPCs 660, for example, utilizing VMSP 645. be able to. In another aspect, server 655 may initiate trustlet 640 without receiving an explicit request from client 650. In either case, server 655 may initiate trustlet (s) 640, where the particular trustlet type identifies the parameters of the trustlet and the session ID is that of trustlet 640. Identify a specific instance. In an aspect, the trustlet type may be initialized by a data structure including KP 405, as described above in system 100c with reference to FIG. 1C. FIG. 7 shows an example of a data structure including a KP such as KP700.

  [0056] The data structure 700 may include a key protector (KP) 705. This is a US patent application Ser. No. 14/481, filed Sep. 9, 2014, entitled “Secure Transport of Encrypted Virtual Machines with Continuous Owner Access”. No. 3,399 (US Patent Application Publication No. 2015/3181896), which is a cryptographic wrapping of a cryptographic key (here, a transport key TK). KP 705 ensures that access to TK 710 and / or other protected data is provided only to authorized entities. TK 710 is a key that is delivered to TrEE 140 and can be wrapped by KP 705, or in some cases by a wrapping key or TW. TK 710 may also be considered a valuable secret. In some cases, TK710 can be decrypted in KMS115.

  [0057] The data structure 700 can also include virtual machine data (VMD) 730, and the virtual machine data 730 can include data for initializing a trustlet. VMD 730 can be encrypted using a suitable encryption technique, such as BitLocker available from Microsoft Corporation of Redmond, Washington. A full volume encryption key (FVEK) 725 can be used to decrypt the VMD 730 and can be protected by a virtual trusted platform module (VTPM). The state (725) is encrypted and stored with the KP 705 as part of the metadata. In some aspects, FVEK 725 may be encrypted with a volume master key (VMK) 720. The VTPM state 725 itself is encrypted using the key wrapped by KP705. In some aspects, the VTPM 725 may use the TK710 (a valuable secret) and a “sealing” on the PCR value so that the TPM allows access to the key material, eg, decryption, if the PCR value is in the expected state. seal) data (eg, PCR7). In this case, the TPM protector is a data structure that is provided to the TPM to unseal any secret if one or more PCRs are in the expected state. In other cases, non-TPM protectors can be used as well.

  [0058] The volume master key (VMK) 720 can be opened by the VTPM 725. The VTPM state 725 can be encrypted by the TK 710 inside the KP 705. In some cases, VMK 720 may be a Bitlocker Volume Master Key, which may be marked as a low value secret.

[0059] Each field or block of the KP 700 can also be described in terms of what it encrypts, such as in cryptographic (key, data) notation.
VMD _DISK : Encryption (FVEK, plaintext disk data)
FVEK _DISK : Encryption (VMK, FVEK)
VMK _DISK : Encryption (VMK)
V _TPMDISK : Encryption (TK, V _TPM )
TK _DISK : Encryption (KP, TK)
KP: The KP is associated with the VM and the trustlet never actually sees it. The KP goes to the KMS, which decrypts it and returns the TK to the trustlet (via the targeting mechanism described above). TK decrypts vTPM, which opens VMK and generates FVEK.

[0060] In one example, the KP 405, V _TPM state 415, VMK 420, and VMD 430 may be data stored on a disk. The V _TPM state 415 may be initialized when the V _TPM is created, as long as it is ensured that it is unique. For example, for runtime uniqueness of generated secret or protected data, VTPM relies on the security of the RNG provided by the secure kernel. After the trustlet decrypts the VTPM state 415 using the decrypted TK 710, the remaining operations to access the VMD 730 are the same or similar to the operations performed between the physical machine and the physical TPM. Good. These operations include the VTPM performing VSM measurements, opening the VMK using the VTPM measurements (which will result in supplying the FVEK 725 to the operating system loader), and the operating system. The system may include decrypting the VMD 730 using FVEK 725.

  [0061] To activate a trustlet, client 650 may request and / or receive data structure 700. The client 650 can send the KP 705 or the entire data structure 700 to the TPH 150 (or, in one embodiment, the HGS 150a), and the TPH 150 can communicate with the KMS 115 to decrypt the TK 710. The TPH may then target the TK 710 in the secure kernel 635 associated with the trustlet 640 using the IDK_pub 665, for example, by the process 800 described below. The secure kernel 635 can obtain IDK_pub and IDK_pri at startup. Secure kernel 635 can decrypt TK 710 and return it to server 655 using its private key 675 (eg, IDK_pri). The server 655 may then distribute the TK 710 to the trustlet 640. In some cases, secure kernel 635 may return TK 710 directly to trustlet 640. In one aspect, the protected data can be delivered to the trustlet 640 along with the TK 710 and encrypted by the TK 710. Thus, the trustlet 640 can use the TK 710 to decrypt the protected data.

  [0062] FIG. 8 illustrates the use of a TrEE or trustlet identity key to transfer a transport key and / or protected data encrypted with the transport key to a TrEE or a specific trustlet. Shows an example process 800 for leading to. More specifically, process 800 shows how to target a trustlet with the cryptographic key of the trustlet's secure kernel.

  [0063] The cloud fabric host or host OS (eg, host OS 600) performs a series of steps to receive a transport key. The cloud fabric host first, in operation 602, according to the process described above with reference to FIG. 4B, for example, a cryptographic identification key of a secure kernel associated with the TrEE or trustlet ( A build TrEE Health Certificate (THC) can be obtained around the IDK_E). In one aspect, operation 602 can include creating a certification log (TCG log) by a host at boot containing a public version of IDK_E, wherein the secret portion of IDK_E is the VSM associated with the trustlet. Exists in the Secure Kernel (SK). The certification log can be presented to a certification service (AS). The AS can inspect this certification log and issue the THC (eg, the public part of the asymmetric key) created around the IDK_E to the host. In one aspect, like IDK_E, a “signature identification key” (DDK_S) can also be created, and as described in more detail below with reference to FIG. 9, the signature identification key is a separate signature created around it. It can have THC. A solution to the key distribution problem can be built using either IDK_E or IDK_S, as described below.

  [0064] When it is time to load a new shielded VM, the host obtains the VM's KP and initiates a conversation with the TPH (eg, TPH 150) at operation 804. Its purpose is to inject the TK encrypted by the KP into the VMSP trustlet.

  [0065] To exchange the KP for a TK, the host may submit the KP and the "translet identity" to the TPH, such as TPH 150, along with the THC in operation 806. The cloud fabric host may also initiate a trustlet or TrEE with a “Session ID” (KPSID) derived from the KP at operation 808. In certain aspects, the received KP forms the basis for the session ID value by creating a SHA-2 hash for it or utilizing other one-way functions. The TPH checks the THC at operation 822 and decrypts the KP, such as KMS 115, or other entity that owns, or protected data and / or KP, at 824 to decrypt the KP and access the TK. It can communicate with other entities that have access to the key. In operation 826, the TPH may target a trustlet with the calculated KPSSID using, for example, a special cryptographic configuration, as described above with reference to process 500.

  [0066] The requestor or client 650 may receive the response from the TPH and forward it to the trustlet with the given KPSID. The trustlet or server may request the SVM secure kernel to decrypt the response and return it to TK at operation 810. The secure kernel examines the response in operation 812 and validates that it targets the trustlet type and the trustlet's session ID, and if there is a match in operation 818, Returns only the key. For this reason, even if the response of the TPH falls into the wrong hands, it is impossible to understand the meaning cryptographically. Upon receiving the key, the host decrypts and provides the key to the TrEE in operation 820, at which point the process 800 may end.

  FIG. 9 illustrates another example process 900 for using a secure kernel signing key to direct a transport key and / or protected data encrypted with the transport key to a trustlet. Show. More specifically, process 900 illustrates a method of targeting a trustlet with a cryptographic key of the trustlet certified by a secure kernel signing key.

  [0068] Process 800 illustrates how a response can be indirectly directed to a trustlet by an identification encryption key shared among all trustlets. However, if the TrEE has a verifiable identification signature key, other techniques may be used. Here, each trustlet can generate its own encryption key pair and have the secure kernel prove it using the public key portion of this pair, IDK_S. It should be noted that such certification also requires that the key be cryptographically bound to the trustlet type and the session ID of the trustlet.

Proof of key = σIDK_S (Trustlet_Encryption_Key_Pub, Trustlet_Type, Session_ID)
Here, σIDK_S indicates the concatenation of its inputs (), followed by the signatures for these inputs, using the given key.

  In this case, the requestor presents the trustlet's key to the TPH, along with the THC and key certification, and the TPH is transported to the transport key as differentiated from the process 800 in operations 822 and 824. By encrypting it into the trustlet's encryption key.

  [0069] In one aspect, the "security version number" (SVN) also prevents other types of attacks and ensures that the TrEE is not old and not a potentially vulnerable version. May be used or indicated in the key certificate. In some cases, if the secure kernel has been certified, but the inner trustlet has not been done (e.g., the trustlet has been loaded with a demand after the certificate has already been made), then the SVN of the trustlet is By including, the TPH 150 can be instructed to refuse to target the older vulnerable trustlet, even though the THC is OK.

  [0070] One of the differences between the two approaches of processes 800 and 900 is what enforces the binding between the trustlet or TrEE ID, the session ID, and the transport key. In process 800, it is a secure kernel, and in process 900, it is TPH150. Another major difference is how the response is structured cryptographically. In the former case, the response is directed to the secure kernel, which then determines which trustlets are allowed to see the response. In the latter case, the response is directed directly to the trustlet, and the trustlet's key is certified by a secure kernel key.

  [0071] In certain aspects, the techniques described above may also be implemented to accommodate full credential isolation for a container. The basic problem is the same: the container only needs to request credentials from its host. The host can then request credentials from some KMS on behalf of the container. If the requested credential is returned to the host unencrypted (for example, the credential arrived on demand and is not part of the container image), a "late credential" binding). While this binding is beneficial, it does not lead to separation of credentials, and if a host is compromised, the credentials will be disclosed.

[0072] In embodiments, the disclosed embodiments may be implemented as a computing system comprising:
[0073] Processor.

  [0074] A memory that is communicatively coupled to the processor and stores instructions. Execution of the instructions by the processor causes the computing system to perform the following operations.

  [0075] The act of receiving a request for protection data from a requestor associated with a nested TrEE, a secure kernel certification report, and a key certification statement. Here, the nested TrEE includes a trustlet that runs on a secure kernel, and the key certificate report binds the trustlet's public encryption key and trustlet ID.

An operation of extracting protected data.
Operation of encrypting the protected data with the public encryption key of the trustlet.
[0078] Operation of transmitting encrypted protected data to a request source.

[0079] In an embodiment, the key certificate report is generated by the secure kernel using the signing key.
[0080] In the embodiment, the signature key proves the public encryption key of the trustlet among the public key-private key pair generated by the trustlet.

[0081] In an embodiment, the trustlet ID includes a trustlet type, or a trustlet type and a session ID.
[0082] In an embodiment, the key certificate report is generated by the secure kernel using the signing key, binding the trustlet's public key, trustlet type, and session ID.

[0083] In an embodiment, when the instructions are executed by a processor, the instructions cause the computing system to perform operations including the following.
Operation of comparing a trustlet ID with a list of authorized trustlet IDs.

[0085] When the trustlet ID is associated with the list of authorized trustlet IDs, an operation of encrypting only the protected data with the public encryption key of the trustlet.
[0086] In an embodiment, a method for delivering protected data to a nested trusted execution environment (TrEE) comprising a trustlet executing on the outer TrEE can be implemented. Here, both the trustlet and the outer TrEE are associated with an untrusted requestor. The method includes the following steps.

  [0087] Receiving, by the targeting protocol head, a request for protected data from a requestor associated with the nested TrEE, an outer TrEE certificate report and a key certificate report, the key certificate report comprising: The report binds the trustlet's public encryption key and the trustlet ID.

[0088] Retrieving the protected data by the targeting protocol head.
[0089] Encrypting the protected data with the public encryption key of the trustlet.

[0090] Sending the encrypted protected data to the requestor.
[0091] In an embodiment, the key certificate report is generated by the outer TrEE using the signing key.

[0092] In the embodiment, the signature key proves the public encryption key of the trustlet among the public key-private key pair generated by the trustlet.
[0093] In an embodiment, the trustlet ID includes a trustlet type, or a trustlet type and a session ID.

  [0094] In an embodiment, the key certificate report is generated by the outer TrEE using the signing key and binds the trustlet's public key, trustlet type, and session ID.

[0095] In an embodiment, the method further includes the following steps.
[0096] Comparing the trustlet ID with a list of authorized trustlet IDs by the targeting protocol head.

  [0097] Encrypting the protected data with the trustlet's public encryption key by the targeting protocol head only if the trustlet ID is associated with the list of authorized trustlet IDs.

[0098] In an embodiment, the method further includes the following steps.
[0099] Sending the encrypted protected data to the trustlet by the requestor.

[00100] Decrypting the encrypted protected data by the trustlet using the trustlet's private encryption key corresponding to the trustlet's public encryption key.
[00101] In an embodiment, the protected data includes a wrapping key.

  [00102] In an embodiment, a computer-readable storage medium can be implemented that includes instructions for delivering protected data to a nested trusted execution environment (TrEE) that includes a trustlet executing on a secure kernel. The medium includes the instructions, and when the instructions are executed on the computer system, causes the computer system to perform at least the following operations.

  [00103] An operation of receiving a request for protected data from a requestor associated with a nested TrEE, a certificate report of a secure kernel, and a key certificate report, wherein the key certificate report is a trustlet. Is bound with the public encryption key of the trustlet.

[00104] Operation to extract protected data.
[00105] Operation of encrypting protected data with a trustlet's public encryption key.
[00106] Operation of sending encrypted protected data to the requestor.

[00107] In an embodiment, the key certificate report is generated by the secure kernel using the signing key.
[00108] In an embodiment, the signing key attests to the trustlet's public encryption key of the public key-private key pair generated by the trustlet.

  [00109] 18. 17. The computer-readable storage medium according to claim 15, wherein the trustlet ID includes a trustlet type, or a trustlet type and a session ID.

  [00110] In an embodiment, a key certificate report is generated by the secure kernel using the signing key, binding the trustlet's public key, trustlet type, and session ID.

  [00111] In embodiments, the instructions further include instructions that, when executed by the computing system, cause the computing system to perform at least the following operations.

[00112] Operation of comparing a trustlet ID with a list of authorized trustlet IDs.
[00113] Operation of encrypting protected data with a public encryption key of a trustlet only when the trustlet ID is associated with a list of authorized trustlet IDs.

  [00114] The techniques described above can be implemented on one or more computing devices or environments, as described below. FIG. 10 illustrates an example of a general-purpose computing environment that may embody, for example, one or more of the requestor 120, TrEE 140, TPH 150, host OS 600, AS 424, and KMS 115. Some of the techniques described herein may be implemented. Computing system environment 1002 is only one example of a suitable computing environment and is not intended to imply any limitations as to the scope or functionality of the disclosed subject matter. Neither should the computing environment 1002 be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary operating environment 1002. In certain embodiments, the various illustrated computing elements can also include circuits configured to instantiate certain aspects of the present disclosure. For example, the term circuitry as used in this disclosure can include special hardware components configured to perform a function or functions by firmware or switches. In another example embodiment, the term circuit comprises general purpose processing units, memory, etc., and is constituted by software instructions embodying logic operable to perform the function (s). In example embodiments where the circuit includes a combination of hardware and software, an implementer may write source code that embodies the logic, which source code may be processed by a general-purpose processing unit. , Can be compiled into machine readable code. One of ordinary skill in the art should be able to recognize that the state of the art has evolved to such a point that there is little difference between hardware, software, or a combination of hardware / software, so that hardware to implement specific functions is Choosing between software and software is only a design choice left to the implementer. More specifically, those skilled in the art will recognize that a software process can be transformed into an equivalent hardware structure, and that the hardware structure itself can be transformed into an equivalent software process. In other words, the choice between the hardware embodiment and the software embodiment is one of the design choices and is left to the implementer.

  [00115] Computer 1002 may include a mobile device or any of a smart phone, tablet, laptop, desktop computer, or a collection of networked devices, cloud computing resources, and the like. And typically includes a variety of computer readable media. Computer readable media can be any available media that can be accessed by computer 1002 and includes both volatile and nonvolatile media, removable and non-removable media. System memory 1022 includes computer-readable storage media in the form of volatile and / or non-volatile memory, such as read-only memory (ROM) 1023 and random access memory (RAM) 1060. The basic input / output system 1024 (BIOS) contains the basic routines that help transfer information between elements inside the computer 1002, such as during start-up, and is typically stored in ROM 1023. RAM 1060 typically contains data and / or program modules that are immediately accessible to and / or presently being processed on processing unit 1059. By way of example, and not limitation, FIG. 10 illustrates operating system 1025, application programs 1026, other program modules 1027 including TrEE targeting application 1065, and program data 1028.

  [00116] Computer 1002 may also include other removable / non-removable, volatile / non-volatile computer storage media. By way of example only, FIG. 10 illustrates a hard disk drive 1038 that reads or writes to a non-removable non-volatile magnetic medium, a magnetic disk drive 1039 that reads or writes to a removable non-volatile magnetic disk 1054, and a CD. Shown is an optical disk drive 1004 that reads from or writes to a removable non-volatile optical disk 1053, such as a ROM or other optical media. Other removable / non-removable, volatile / non-volatile computer storage media that can be used in the exemplary operating environment include magnetic tape cassettes, flash memory cards, digital versatile disks, digital video tapes, Examples include, but are not limited to, solid state RAM, solid state ROM, and the like. Hard disk drive 1038 is typically connected to system bus 1021 via a non-removable memory interface such as interface 1034, and magnetic disk drive 1039 and optical disk drive 1004 are typically It is connected to the system bus 1021 by a removable memory interface such as 1035 or 1036.

  [00117] The drives and their associated computer storage media discussed above and illustrated in FIG. 10 provide storage of computer readable instructions, data structures, program modules, and other data for the computer 1002. In FIG. 10, for example, a hard disk drive 1038 is shown as storing an operating system 1058, application programs 1057, other program modules 1056, and program data 1055. Note that these components can either be the same as or different from operating system 1025, application programs 1026, other program modules 1027, and program data 1028. Operating system 1058, application programs 1057, other program modules 1056, and program data 1055 are given different numbers here, at least to indicate that they are different copies. is there. A user can enter commands and information into the computer 1002 via input devices, such as a keyboard 1051 and a pointing device 1052, commonly referred to as a mouse, trackball, or touch pad. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, retinal scanner, and the like. These and other input devices are often connected to the processing unit 1059 via a user input interface 1036 coupled to the system bus 1021, but may include a parallel port, a game port, or a universal serial port. Other interfaces, such as a bus (USB), and a bus structure may be used. A monitor 1042 or other type of display device is also connected to the system bus 1021 via an interface, such as a video interface 1032. In addition to the monitor, the computer may also include other peripheral output devices, such as speakers 1044 and printer 1043, which may be connected via output peripheral interface 1033.

  [00118] Computer 1002 may also operate in a networked environment with logical connections to one or more remote computers, such as remote computer 1046. Remote computer 1046 may be a personal computer, server, router, network PC, peer device, or other general network node, and typically includes many or all of the elements described above with respect to computer 1002. Although shown in FIG. 10, only a memory storage device 1047 is shown. The logical connections shown in FIG. 10 include a local area network (LAN) 1045 and a wide area network (WAN) 1049, but may also include other networks. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets, the Internet, and cloud computing resources.

  [00119] When used in a LAN networking environment, the computer 1002 can connect to the LAN 1045 via a network interface or adapter 1037. When used in a WAN networking environment, computer 1002 typically includes a modem 1005 or other means for establishing communication over WAN 1049, such as the Internet. Modem 1005 may be internal or external and may be connected to system bus 1021 via user input interface 1036 or other appropriate mechanism. In a networked environment, program modules depicted relative to the computer 1002, or portions thereof, may be stored in the remote memory storage device. By way of example, and not limitation, FIG. 10 illustrates remote application program 1048 as residing on memory device 1047. It will be appreciated that the network connections shown are examples and other means of establishing a communications link between the computers may be used.

  [00120] In an aspect, the other program 1027 can also include a TrEE targeting component or application 1065 that includes functionality as described above. In some cases, TrEE targeting application 1065 may perform some or all of the operations of processes 300, 400, 500, 800, and / or 900.

  [00121] Each of the processes, methods, and algorithms described in the preceding sections may be embodied in a code module executed by one or more computers or computer processors, and may be fully or partially automated by the code module. can do. The code module can be stored on any type of non-transitory computer readable media or computer storage device, such as a hard drive, solid state memory, optical disk, etc. The processes and algorithms may also be partially or wholly implemented in application specific circuits. The results of the disclosed processes and process steps can be stored permanently or otherwise in any type of non-transitory computer storage, such as, for example, volatile or non-volatile storage. The various features and processes described above may be used independently of one another, or may be combined in various ways. All possible combinations and sub-combinations are intended to fall within the scope of the present disclosure. In addition, certain methods or process blocks may be omitted in some embodiments. The methods and processes described herein are not limited to any particular sequence, and the blocks or states involved may be performed in any other appropriate sequence. For example, the blocks or states described may be performed in any order other than those specifically disclosed, and multiple blocks or states may be combined into one block or state. Examples of blocks or states may be performed sequentially, in parallel, or in some other manner. Blocks or states can be added or deleted from the disclosed example embodiments. The example systems and components described herein may have different configurations than those described. For example, elements can be added, deleted, or reconfigured as compared to the disclosed example embodiments.

  [00122] Also, various items have been shown to be stored in memory or on storage while in use, and these items or portions thereof may be used for memory management and data integrity purposes. It will be appreciated that, for this, it may be transferred between memory and another storage device. Alternatively, in other embodiments, some or all of the software modules and / or systems may execute in memory residing on other devices and communicate with the illustrated computing system via inter-computer communication. . Further, in some embodiments, some or all of the systems and / or modules may be implemented or provided in other ways, such as at least in part in firmware and / or hardware, and may include firmware and / or The hardware includes one or more application specific integrated circuits (ASICs), standard integrated circuits, controllers (eg, controllers that execute appropriate instructions, including microcontrollers and / or embedded controllers), Includes, but is not limited to, field programmable gate arrays (FPGAs), composite programmable logic devices (CPLDs), and the like. Also, some or all of the modules, systems, and data structures may be computer readable, such as a hard disk, memory, network or portable media item, for reading by appropriate drives or via appropriate connections. It can also be stored on a medium (eg, as software instructions or structured data). The term "computer-readable storage medium" and variations thereof, as limited to this specification and claims, do not include waveforms, signals, and / or other temporary and / or intangible communication media. Also, the systems, modules, and data structures may reside in a data signal (e.g., a carrier or other analog or digitally propagated signal) generated on a variety of computer readable transmission media, including wireless and wired / cable media. (Eg, as a part) and may take various forms (eg, as part of one or a multiplexed analog signal, or as multiple discrete digital packets or frames). Such a computer program product may take other forms in other embodiments. Thus, the present disclosure can be implemented in other computer system configurations.

  [00123] In particular, "can", "could", "may", "may", "for example" (eg), etc. As such, the conditional expressions used herein are generally in the form of particular features, unless otherwise stated or otherwise understood in the context in which they are used. It is intended to convey that elements and / or steps are included, but other embodiments do not. In other words, such conditional wording is generally not intended to imply that features, elements, and / or steps are more or less necessary for one or more embodiments, or One or more embodiments may require the input or prompting of an author as to whether these features, elements, and / or steps are included in, or performed in, any particular embodiment. It is not intended to imply that logic that determines whether or not there is necessarily included. Terms such as "comprising", "including", "having" and the like are synonymous and used inclusively and do not exclude additional elements, features, acts, acts, etc. . Also, the term "or" is used in its inclusive sense (and not its exclusive meaning) so that, for example, when used to connect a list of elements, "or" The term "means one, some or all of the elements in the list.

  [00124] Although specific embodiments have been described above, these embodiments have been presented by way of example only, and are not intended to limit the scope of the invention disclosed herein. That is, in the above description, nothing is intended to imply that any particular feature, characteristic, step, module, or block is required or essential. Indeed, the novel methods and systems described herein may be embodied in various other forms, and furthermore, various omissions, changes, and modifications in the form of the methods and systems described herein. Can be performed without departing from the spirit of the invention disclosed in this specification. The appended claims and their equivalents are intended to cover such forms and modifications as fall within the true scope and spirit of the invention disclosed herein.

Claims (15)

A computing system,
A processor,
A memory communicatively coupled to the processor for storing instructions;
When the instructions are executed by the processor,
Receiving a request for protected data from a requestor associated with the nested TrEE, a certificate report of the secure kernel, and a key certificate report, wherein the nested TrEE is configured to store the secure kernel on the secure kernel; Actuating the key certificate report to bind a trustlet public encryption key and a trustlet ID; and
An operation of extracting the protected data;
An operation of encrypting the protected data with the trustlet public encryption key;
Sending the encrypted protected data to the requestor;
Causing the computing system to execute.   The computing system of claim 1, wherein the key certificate report is generated by the secure kernel using a signing key.   3. The computing system of claim 2, wherein the signing key attests to the trustlet public encryption key of a public-private key pair generated by the trustlet.   The computing system of claim 1, wherein the trustlet ID comprises a trustlet type, or a trustlet type and a session ID.   5. The computing system of claim 4, wherein the key certificate report is generated by the secure kernel using a signing key, the trustlet public key, the trustlet type, and the session ID. A computing system that binds 2. The computing system of claim 1, wherein the instructions are executed by the processor.
Comparing the trustlet ID with a list of authorized trustlet IDs;
Encrypting the protected data with the trustlet public encryption key only if the trustlet ID is associated with the list of authorized trustlet IDs;
A computing system that causes the computing system to perform operations that include: A method of delivering protected data to a nested trusted execution environment (TrEE) comprising a trustlet executing on an outer TrEE, wherein both the trustlet and the outer TrEE are associated with an untrusted requestor, the method comprising: But,
Receiving, by a targeting protocol head, a request for protection data from a requestor associated with the nested TrEE, a certificate report of the outer TrEE, and a key certificate report, the key certificate report comprising: Signing a trustlet public encryption key and a trustlet ID.
Extracting said protected data by said targeting protocol head;
Encrypting the protected data with the trustlet public encryption key;
Sending the encrypted protected data to the requestor;
Including, methods.   The method of claim 7, wherein the key certificate report is generated by the external TrEE using a signing key.   9. The method of claim 8, wherein the signing key certifies the trustlet public encryption key of a public key-private key pair generated by the trustlet.   The method of claim 7, wherein the trustlet ID comprises a trustlet type or a trustlet type and a session ID.   11. The method of claim 10, wherein the key certificate report is generated by the outer TrEE using a signing key, binding the trustlet public key, the trustlet type, and the session ID. Method. The method of claim 7, further comprising:
Comparing said trustlet ID with a list of authorized trustlet IDs by said targeting protocol head;
Encrypting the protected data with the trustlet public encryption key by the targeting protocol head only if the trustlet ID is associated with the list of authorized trustlet IDs;
Including, methods. The method of claim 7, further comprising:
Sending the encrypted protected data to the trustlet by the requestor;
Decrypting the encrypted protected data by the trustlet using a trustlet private encryption key corresponding to the trustlet public encryption key;
Including, methods.   The method of claim 7, wherein the protected data includes a wrapping key. A computer readable storage medium comprising instructions for delivering protected data to a nested trusted execution environment (TrEE) comprising a trustlet executing on a secure kernel, said medium containing the instructions and comprising: When the instruction is executed at least,
Receiving a request for protected data from a requestor associated with the nested TrEE, a certificate report of the secure kernel, and a key certificate report, wherein the key certificate report comprises Binding the public encryption key and the trustlet ID,
An operation of extracting the protected data;
An operation of encrypting the protected data with the trustlet public encryption key,
Sending the encrypted protected data to the requestor;
A computer-readable storage medium that causes a computer system to execute.

Images